Google Git
Sign in
go / vulndb / fafb3ad656efa9238b99231b0b9d37da1fc485e9^! / .
commitfafb3ad656efa9238b99231b0b9d37da1fc485e9[log] [tgz]
authorTatiana Bradley <tatianabradley@google.com>Wed Dec 20 15:05:34 2023 -0500
committerTatiana Bradley <tatianabradley@google.com>Tue Jan 02 18:32:43 2024 +0000
treee78c9e88b7b9a8eb1e09ba3aef1c3d3475e963ba
parenta2ef760d3919db3645a96a6730bc9cb26f695bab [diff]
data/reports: add GO-2023-2394.yaml

Aliases: CVE-2023-50463, GHSA-rxg9-hgq7-8pwx

Fixes golang/vulndb#2394

Change-Id: Ibe2237125719d2b90551a8c1e5b409804a97b4b2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551916
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tim King <taking@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

diff --git a/data/osv/GO-2023-2394.json b/data/osv/GO-2023-2394.json
new file mode 100644
index 0000000..3c8196f
--- /dev/null
+++ b/data/osv/GO-2023-2394.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-2394",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-50463",
+    "GHSA-rxg9-hgq7-8pwx"
+  ],
+  "summary": "Spoofed source IP address in github.com/shift72/caddy-geo-ip",
+  "details": "The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/shift72/caddy-geo-ip",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/shift72/caddy-geo-ip"
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50463"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/shift72/caddy-geo-ip/issues/4"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-2394"
+  }
+}
\ No newline at end of file

diff --git a/data/reports/GO-2023-2394.yaml b/data/reports/GO-2023-2394.yaml
new file mode 100644
index 0000000..2dc1078
--- /dev/null
+++ b/data/reports/GO-2023-2394.yaml

@@ -0,0 +1,20 @@
+id: GO-2023-2394
+modules:
+    - module: github.com/shift72/caddy-geo-ip
+      vulnerable_at: 0.6.0
+      packages:
+        - package: github.com/shift72/caddy-geo-ip
+          skip_fix: Relies on quic-go which doesn't build on Go 1.18.
+summary: Spoofed source IP address in github.com/shift72/caddy-geo-ip
+description: |-
+    The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof
+    their source IP address via an X-Forwarded-For header, which may bypass a
+    protection mechanism (trusted_proxy directive in reverse_proxy or IP address
+    range restrictions).
+cves:
+    - CVE-2023-50463
+ghsas:
+    - GHSA-rxg9-hgq7-8pwx
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-50463
+    - report: https://github.com/shift72/caddy-geo-ip/issues/4